It’s a multiserver OS on top of a microkernel, what almost everyone in the academic community of the 90s assumed would be the future of single-computer systems (see e.g. the Tanenbaum–Torvalds debate). The security framework at runtime is capabilities[2,3] (“object-capabilities”, not the weird draft POSIX thing) as opposed to ACLs; that is, you can access an object to the exact extent that you can name it, and those names are system-mediated and unforgeable (POSIX fds are capabilities; POSIX filenames are not; public Google Docs links kind of are in that it’s infeasible to guess them).
Basically, this is mainstream thinking as of the last point researchers seriously thought about single-machine OSes, sometime in the early 00s. And unlike most products of that thinking, it’s a fairly complete desktop system that can do a fair amount of desktop things. At the very least, it’s a proof by construction that this approach can actually serve as the foundation for a practical system.
(Hardware support sucks, of course, but with hardware manufacturers guarding their docs more closely than their genitals it’s a miracle you can actually get any PCs to work at all without Microsoft’s clout.)
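An added Python toy of the capability-vs-name distinction the comment draws (illustrative code, not from this comment or from any of the systems it mentions): a per-process handle table that only the kernel populates, attenuation of a read-write capability to read-only, delegation by explicit grant, and a process that was never granted anything guessing a handle. Names (`Kernel`, `Capability`, `demo`) are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Capability:
    """Object plus rights. Only the kernel builds these; a process sees one only as a handle."""
    target: bytearray  # the shared kernel object; user code never gets a direct reference
    rights: frozenset

class Kernel:
    def __init__(self) -> None:
        self._tables: dict[int, dict[int, Capability]] = {}  # pid -> handle -> cap
    def _install(self, pid: int, cap: Capability) -> int:
        table = self._tables.setdefault(pid, {})
        table[len(table)] = cap
        return len(table) - 1
    def _cap(self, pid: int, handle: int, right: str = "") -> Capability:
        cap = self._tables.get(pid, {}).get(handle)
        if cap is None:  # a guessed or forged handle names nothing at all
            raise PermissionError(f"pid {pid}: handle {handle} is not in its table")
        if right and right not in cap.rights:
            raise PermissionError(f"pid {pid}: handle {handle} lacks {right}")
        return cap
    def create(self, pid: int, data: bytes) -> int:  # like open(): hands back a handle
        return self._install(pid, Capability(bytearray(data), frozenset({"read", "write"})))
    def read(self, pid: int, handle: int) -> bytes:
        return bytes(self._cap(pid, handle, "read").target)
    def write(self, pid: int, handle: int, data: bytes) -> None:
        self._cap(pid, handle, "write").target[:] = data
    def attenuate(self, pid: int, handle: int, rights: set) -> int:  # rights can only shrink
        cap = self._cap(pid, handle)
        return self._install(pid, Capability(cap.target, cap.rights & frozenset(rights)))
    def grant(self, from_pid: int, handle: int, to_pid: int) -> int:  # delegation is explicit
        return self._install(to_pid, self._cap(from_pid, handle))

def demo() -> dict:
    """Constructed scenario: pid 1 makes an object, gives pid 2 a read-only view, pid 3 guesses."""
    k = Kernel()
    rw = k.create(1, b"hello")
    peer = k.grant(1, k.attenuate(1, rw, {"read"}), 2)
    out = {"peer_reads": k.read(2, peer)}
    for key, op in (("peer_writes", lambda: k.write(2, peer, b"x")),
                    ("guess_works", lambda: k.read(3, 0))):
        try:
            op(); out[key] = True
        except PermissionError:
            out[key] = False
    k.write(1, rw, b"changed")  # same object, so pid 2's read-only cap sees the new contents
    out["peer_sees_update"] = k.read(2, peer)
    return out
```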